For some time we’ve wanted a mechanism to alert snap publishers who use ‘stage-packages’ in their snapcraft.yaml when USNs (Ubuntu Security Notices) have been issued for their staged packages so that the publisher can rebuild the snap with the security updates. All the pieces have come together (snapcraft, store, review-tools, internal hosting, etc) and we are now sending alerts via email.
Phase 1 of the service has limited store integration so the configurability of the service is also limited. Phase 2 of the service will have fuller store integration.
The service works as follows:
- snaps built with SNAPCRAFT_BUILD_INFO=1 will have a snap/manifest.yaml inserted into the snap before the ‘snapcraft pack’ step
- Any snaps built on Launchpad will have SNAPCRAFT_BUILD_INFO=1 set automatically
- non-LP builds opt in to the service by setting this environment variable
- periodically the service examines snaps that have manifest.yaml files for their currently published channels/tracks and checks whether USNs have been issued for the versions of the staged packages in the snap. If any revisions are affected, the tool generates a report to send via email
- the tool records the emails that have already been sent for USNs by revision of the snap and will only send the email for a particular report once, unless something changes in the report (e.g., a new USN affects the snap or a new affected revision of the snap is published)
- the report will be emailed to the publisher email and the uploader email by default. The tool has support for sending to additional addresses. For example, we are using this for various Canonical-owned snaps. In phase 2 I would expect this to be configurable via web UI
If you discover any issues, please report it either here in the forum using the ‘store’ tag or at https://bugs.launchpad.net/review-tools/+filebug.